From 583d95af8f722f60cf848e603f12f6c0be0e9a59 Mon Sep 17 00:00:00 2001 From: kstranacher Date: Fri, 10 Feb 2012 16:21:09 +0000 Subject: * Ausbau MOASecurityManager (nicht anwendbar da SecurityManager nur systemweit gesetzt werden kann) * Update ExternalURIResolver mit ExternalURIVerifier der gegen Blackliste checkt git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1238 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../spss/server/MOASecurityManagerExtended.java | 111 -------------- .../moa/spss/server/MOASecurityManagerSimple.java | 163 --------------------- .../server/config/ConfigurationPartsBuilder.java | 20 ++- .../spss/server/config/ConfigurationProvider.java | 51 ++----- .../invoke/CMSSignatureVerificationInvoker.java | 18 +-- .../spss/server/invoke/ExternalURIResolver.java | 4 + .../invoke/SignatureCreationServiceImpl.java | 2 + .../invoke/SignatureVerificationServiceImpl.java | 4 + .../invoke/XMLSignatureVerificationInvoker.java | 6 - .../server/service/SignatureCreationService.java | 2 + .../service/SignatureVerificationService.java | 10 +- .../moa/spss/util/ExternalURIVerifier.java | 63 ++++++++ 12 files changed, 119 insertions(+), 335 deletions(-) delete mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java delete mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java create mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java (limited to 'spss/server/serverlib/src/main/java/at/gv/egovernment/moa') diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java deleted file mode 100644 index 42ee621e6..000000000 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java +++ /dev/null @@ -1,111 +0,0 @@ -package at.gv.egovernment.moa.spss.server; - -import java.net.InetAddress; -import java.net.UnknownHostException; -import java.util.Iterator; -import java.util.List; - -import at.gv.egovernment.moa.logging.Logger; - - -public class MOASecurityManagerExtended extends SecurityManager { - - private List blacklist; - private boolean allowExternalUris; - - public MOASecurityManagerExtended(boolean allowExternalUris, List blacklist) { - this.blacklist = blacklist; - this.allowExternalUris = allowExternalUris; - } - - - /** - * Overwrite checkConnect methods with blacklist check - */ - - public void checkConnect(String host, int port, Object context) { - // System.out.println("checkConnect: " + host + ":" + port); - if (!checkURI(host, port)) - throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); - else { - // System.out.println("Perform checkConnect of given SecurityManager"); - super.checkConnect(host, port, context); - } - } - - public void checkConnect(String host, int port) { - // System.out.println("checkConnect: " + host + ":" + port); - if (!checkURI(host, port)) - throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); - else { - // System.out.println("Perform checkConnect of given SecurityManager"); - super.checkConnect(host, port); - } - } - - private boolean checkURI(String host, int port) { - if (allowExternalUris) { - Iterator it = blacklist.iterator(); - while (it.hasNext()) { - String[] array = (String[])it.next(); - String bhost = array[0]; - String bport = array[1]; - if (bport == null) { - // check only host - if (bhost.equalsIgnoreCase(host)) { - // System.out.println("Security check: " + host + " blacklisted"); - return false; - } - } - else { - // check host and port - int iport = new Integer(bport).intValue(); - if (bhost.equalsIgnoreCase(host) && (iport == port)) { - // System.out.println("Security check: " + host + ":" + port + " blacklisted"); - return false; - } - - } - } - - // System.out.println("Security check: " + host + ":" + port + " allowed"); - return true; - } - else { - String localhost = getLocalhostName(); - if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) { - // System.out.println("Security check: localhost name allowed"); - return true; - } - - // System.out.println("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)"); - return false; - } - } - private String getLocalhostName() { - try { - // save current SecurityManager - SecurityManager sm = System.getSecurityManager(); - // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop) - System.setSecurityManager(null); - - InetAddress localhostaddress = InetAddress.getLocalHost(); - String localhost = localhostaddress.getHostName(); - - // set previously saved SecurityManager - System.setSecurityManager(sm); - - return localhost; - - } - catch (UnknownHostException e) { - // System.out.println("UnknownHostExeption: Returns \"localhost\" as name for localhost"); - return "localhost"; - } - } - - - /** - * Don't overwrite other methods - */ -} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java deleted file mode 100644 index 530a27a48..000000000 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java +++ /dev/null @@ -1,163 +0,0 @@ -package at.gv.egovernment.moa.spss.server; - - -import java.io.FileDescriptor; -import java.net.InetAddress; -import java.net.UnknownHostException; -import java.security.Permission; -import java.util.Iterator; -import java.util.List; - -public class MOASecurityManagerSimple extends SecurityManager { - - private List blacklist; - private boolean allowExternalUris; - - - public MOASecurityManagerSimple(boolean allowExternalUris, List blacklist) { - this.blacklist = blacklist; - this.allowExternalUris = allowExternalUris; - } - - /** - * Overwrite checkConnect methods with blacklist check - */ - - public void checkConnect(String host, int port, Object context) { - if (!checkURI(host, port)) - throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); - } - - public void checkConnect(String host, int port) { - // System.out.println("checkConnect: " + host + ":" + port); - if (!checkURI(host, port)) - throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed"); - } - - private boolean checkURI(String host, int port) { - if (allowExternalUris) { - Iterator it = blacklist.iterator(); - while (it.hasNext()) { - String[] array = (String[])it.next(); - String bhost = array[0]; - String bport = array[1]; - if (bport == null) { - // check only host - if (bhost.equalsIgnoreCase(host)) { - // System.out.println("Security check: " + host + " blacklisted"); - return false; - } - } - else { - // check host and port - int iport = new Integer(bport).intValue(); - if (bhost.equalsIgnoreCase(host) && (iport == port)) { - // System.out.println("Security check: " + host + ":" + port + " blacklisted"); - return false; - } - - } - } - - // System.out.println("Security check: " + host + ":" + port + " allowed"); - return true; - } - else { - String localhost = getLocalhostName(); - if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) { - // System.out.println("Security check: localhost name allowed"); - return true; - } - - // System.out.println("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)"); - return false; - } - } - - private String getLocalhostName() { - try { - // save current SecurityManager - SecurityManager sm = System.getSecurityManager(); - // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop) - System.setSecurityManager(null); - - InetAddress localhostaddress = InetAddress.getLocalHost(); - String localhost = localhostaddress.getHostName(); - - // set previously saved SecurityManager - System.setSecurityManager(sm); - - return localhost; - - } - catch (UnknownHostException e) { - // System.out.println("UnknownHostExeption: Returns \"localhost\" as name for localhost"); - return "localhost"; - } - } - - - /** - * Overwrite all other methods by doing nothing (as no SecurityManager is set initially) - */ - - public void checkAccept(String host, int port) { - } - public void checkAccess(Thread t) { - } - public void checkAccess(ThreadGroup g) { - } - public void checkAwtEventQueueAccess() { - } - public void checkCreateClassLoader() { - } - public void checkDelete(String file) { - } - public void checkExec(String cmd) { - } - public void checkExit(int status) { - } - public void checkLink(String lib) { - } - public void checkListen(int port) { - } - public void checkMemberAccess(Class arg0, int arg1) { - } - public void checkMulticast(InetAddress maddr, byte ttl) { - } - public void checkMulticast(InetAddress maddr) { - } - public void checkPackageAccess(String pkg) { - } - public void checkPackageDefinition(String pkg) { - } - public void checkPermission(Permission perm, Object context) { - } - public void checkPermission(Permission perm) { - } - public void checkPrintJobAccess() { - } - public void checkPropertiesAccess() { - } - public void checkPropertyAccess(String key) { - } - public void checkRead(FileDescriptor fd) { - } - public void checkRead(String file, Object context) { - } - public void checkRead(String file) { - } - public void checkSecurityAccess(String target) { - } - public void checkSetFactory() { - } - public void checkSystemClipboardAccess() { - } - public void checkWrite(FileDescriptor fd) { - } - public void checkWrite(String file) { - } - - - -} diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index abc781303..1211b5e94 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -385,8 +385,8 @@ public class ConfigurationPartsBuilder { Element permitExtUris = (Element)XPathUtils.selectSingleNode(getConfigElem(), PERMIT_EXTERNAL_URIS_XPATH); // if PermitExternalUris element does not exist - don't allow external uris - if (permitExtUris == null) - return false; + if (permitExtUris == null) + return false; else return true; @@ -397,8 +397,8 @@ public class ConfigurationPartsBuilder { * @return */ public List buildPermitExternalUris() { - if (!allowExternalUris()) - return null; + + info("config.33", null); List blacklist = new ArrayList(); @@ -411,7 +411,11 @@ public class ConfigurationPartsBuilder { String host = getElementValue(permitExtElem, CONF + "Host", null); String port = getElementValue(permitExtElem, CONF + "Port", null); - //System.out.println("Host:Port = " + host + ":" + port); + + if (port == null) + info("config.34", new Object[]{host}); + else + info("config.34", new Object[]{host + ":" + port}); String array[] = new String[2]; array[0] = host; @@ -420,6 +424,10 @@ public class ConfigurationPartsBuilder { } + if(blacklist.isEmpty()) // no blacklisted uris given + info("config.36", null); + + return blacklist; } @@ -1205,7 +1213,7 @@ public class ConfigurationPartsBuilder { MessageProvider msg = MessageProvider.getInstance(); String txt = msg.getMessage(messageId, args); - Logger.warn(new LogMsg(txt), t); + Logger.warn(new LogMsg(txt), t); warnings.add(txt); } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index bcd9416b8..a5f861c52 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -33,9 +33,7 @@ import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.math.BigInteger; -import java.net.InetAddress; import java.net.URL; -import java.net.UnknownHostException; import java.security.Principal; import java.security.cert.X509Certificate; import java.util.ArrayList; @@ -48,8 +46,6 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.logging.LogMsg; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.spss.server.MOASecurityManagerExtended; -import at.gv.egovernment.moa.spss.server.MOASecurityManagerSimple; import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moa.util.DOMUtils; @@ -373,8 +369,11 @@ public class ConfigurationProvider if (allowExternalUris_) blackListedUris_ = builder.buildPermitExternalUris(); - else + else { + info("config.35", null); blackListedUris_ = null; + } + // Set set = crlRetentionIntervals.entrySet(); // Iterator i = set.iterator(); @@ -383,37 +382,7 @@ public class ConfigurationProvider // System.out.println("Key: " + me.getKey() + " - Value: " + me.getValue() ); // } - - // set SecurityManager for permitting/disallowing external URIs - SecurityManager sm = System.getSecurityManager(); - - if (sm == null) { - // no security manager exists - create a new one - Logger.debug(new LogMsg("Create new MOASecurityManagerSimple")); - sm = new MOASecurityManagerSimple(allowExternalUris_, blackListedUris_); - - - Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple")); - System.setSecurityManager(sm); - - } - else { - String classname = sm.getClass().getName(); - if (!classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.server.MOASecurityManagerSimple") && - !classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.server.MOASecurityManagerExtended")) { - // if SecurityManager is not already a MOASecurityManager - - Logger.debug(new LogMsg("Create new MOASecurityManagerExtended (including existing SecurityManager)")); - sm = new MOASecurityManagerExtended(allowExternalUris_, blackListedUris_); - - Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple")); - System.setSecurityManager(sm); - } - Logger.debug(new LogMsg("No new MOASecurityManager instantiated")); - } - - - + } catch (Throwable t) { throw new ConfigurationException("config.11", null, t); } finally { @@ -446,7 +415,15 @@ public class ConfigurationProvider public String getDigestMethodAlgorithmName() { return digestMethodAlgorithmName; } - + + public boolean getAllowExternalUris() { + return this.allowExternalUris_; + } + + public List getBlackListedUris() { + return this.blackListedUris_; + } + /** * Return the name of the canonicalization algorithm used during signature * creation. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index 02d282387..ba2513d2f 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -24,12 +24,6 @@ package at.gv.egovernment.moa.spss.server.invoke; -import java.io.IOException; -import java.io.InputStream; -import java.util.Date; -import java.util.Iterator; -import java.util.List; - import iaik.IAIKException; import iaik.IAIKRuntimeException; import iaik.server.modules.cmsverify.CMSSignatureVerificationModule; @@ -37,9 +31,14 @@ import iaik.server.modules.cmsverify.CMSSignatureVerificationModuleFactory; import iaik.server.modules.cmsverify.CMSSignatureVerificationProfile; import iaik.server.modules.cmsverify.CMSSignatureVerificationResult; +import java.io.IOException; +import java.io.InputStream; +import java.util.Date; +import java.util.Iterator; +import java.util.List; + import at.gv.egovernment.moa.logging.LoggingContext; import at.gv.egovernment.moa.logging.LoggingContextManager; - import at.gv.egovernment.moa.spss.MOAApplicationException; import at.gv.egovernment.moa.spss.MOAException; import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent; @@ -102,6 +101,7 @@ public class CMSSignatureVerificationInvoker { */ public VerifyCMSSignatureResponse verifyCMSSignature(VerifyCMSSignatureRequest request) throws MOAException { + CMSSignatureVerificationProfileFactory profileFactory = new CMSSignatureVerificationProfileFactory(request); VerifyCMSSignatureResponseBuilder responseBuilder = @@ -127,7 +127,6 @@ public class CMSSignatureVerificationInvoker { TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId()); try { - // get the signed content signedContent = getSignedContent(request); @@ -142,7 +141,7 @@ public class CMSSignatureVerificationInvoker { CMSSignatureVerificationModuleFactory.getInstance(); module.setLog(new IaikLog(loggingCtx.getNodeID())); - + module.init( signature, signedContent, @@ -152,6 +151,7 @@ public class CMSSignatureVerificationInvoker { while (input.read(buf) > 0); results = module.verifySignature(signingTime); + } catch (IAIKException e) { MOAException moaException = IaikExceptionMapper.getInstance().map(e); throw moaException; diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java index 96c20d4a4..e09ade231 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java @@ -37,6 +37,7 @@ import java.net.URLConnection; import at.gv.egovernment.moa.spss.MOAApplicationException; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; +import at.gv.egovernment.moa.spss.util.ExternalURIVerifier; /** * Resolve external URIs and provide them as a stream. @@ -100,6 +101,9 @@ public class ExternalURIResolver { try { // create the URL url = new URL(uriStr); + System.out.println("ExternalURIResolver: " + url); + ExternalURIVerifier.verify(url.getHost(), url.getPort()); + } catch (MalformedURLException e) { throw new MOAApplicationException("2214", new Object[] { uriStr }); } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java index 993c8f7a9..b746333e6 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java @@ -57,9 +57,11 @@ public class SignatureCreationServiceImpl extends SignatureCreationService { CreateXMLSignatureResponse response; try { + Configurator.getInstance().init(); ServiceContextUtils.setUpContexts(); response = invoker.createXMLSignature(request, Collections.EMPTY_SET); + return response; } finally { ServiceContextUtils.tearDownContexts(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java index 67bc446b0..5b6033ce1 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java @@ -62,6 +62,7 @@ public class SignatureVerificationServiceImpl Configurator.getInstance().init(); ServiceContextUtils.setUpContexts(); response = invoker.verifyCMSSignature(request); + return response; } finally { ServiceContextUtils.tearDownContexts(); @@ -84,9 +85,12 @@ public class SignatureVerificationServiceImpl VerifyXMLSignatureResponse response; try { + + Configurator.getInstance().init(); ServiceContextUtils.setUpContexts(); response = invoker.verifyXMLSignature(request); + return response; } finally { ServiceContextUtils.tearDownContexts(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index a123dd4fc..adaf0d376 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java @@ -212,10 +212,6 @@ public class XMLSignatureVerificationInvoker { module.setLog(new IaikLog(loggingCtx.getNodeID())); - //@TODO - SecurityManager sm = System.getSecurityManager(); - System.setSecurityManager(null); - result = module.verifySignature( xmlSignature, @@ -224,8 +220,6 @@ public class XMLSignatureVerificationInvoker { signingTime, new TransactionId(context.getTransactionID())); - //@TODO - System.setSecurityManager(sm); } catch (IAIKException e) { MOAException moaException = IaikExceptionMapper.getInstance().map(e); throw moaException; diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java index 75f0b1868..3304e262f 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java @@ -82,6 +82,7 @@ public class SignatureCreationService { // handle the request try { + // create a parser and builder for binding API objects to/from XML CreateXMLSignatureRequestParser requestParser = new CreateXMLSignatureRequestParser(); @@ -114,6 +115,7 @@ public class SignatureCreationService { // save response in transaction context.setResponse(response[0]); Logger.trace("---- Leaving SignatureCreationService"); + } catch (MOAException e) { AxisFault fault = AxisFault.makeFault(e); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java index 38310f53b..a1caac6a7 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java @@ -66,8 +66,9 @@ public class SignatureVerificationService { CMSSignatureVerificationInvoker invoker = CMSSignatureVerificationInvoker.getInstance(); Element[] response = new Element[1]; - + try { + // create a parser and builder for binding API objects to/from XML VerifyCMSSignatureRequestParser requestParser = new VerifyCMSSignatureRequestParser(); @@ -93,7 +94,8 @@ public class SignatureVerificationService { // save response in transaction context.setResponse(response[0]); - + + } catch (MOAException e) { AxisFault fault = AxisFault.makeFault(e); fault.setFaultDetail(new Element[] { e.toErrorResponse()}); @@ -128,7 +130,8 @@ public class SignatureVerificationService { Element[] response = new Element[1]; try { - // create a parser and builder for binding API objects to/from XML + + // create a parser and builder for binding API objects to/from XML VerifyXMLSignatureRequestParser requestParser = new VerifyXMLSignatureRequestParser(); VerifyXMLSignatureResponseBuilder responseBuilder = @@ -153,6 +156,7 @@ public class SignatureVerificationService { // save response in transaction context.setResponse(response[0]); + } catch (MOAException e) { AxisFault fault = AxisFault.makeFault(e); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java new file mode 100644 index 000000000..9901212db --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java @@ -0,0 +1,63 @@ +package at.gv.egovernment.moa.spss.util; + +import java.util.Iterator; +import java.util.List; + +import at.gv.egovernment.moa.spss.MOAApplicationException; +import at.gv.egovernment.moa.spss.server.config.ConfigurationException; +import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; + +public class ExternalURIVerifier { + + public static void verify(String host, int port) throws MOAApplicationException { + try { + ConfigurationProvider config = ConfigurationProvider.reload(); +// + boolean allowExternalUris = config.getAllowExternalUris(); + List blacklist = config.getBlackListedUris(); + + + if (allowExternalUris) { + Iterator it = blacklist.iterator(); + while (it.hasNext()) { + String[] array = (String[])it.next(); + String bhost = array[0]; + String bport = array[1]; + if (bport == null) { + // check only host + if (bhost.equalsIgnoreCase(host)) { + System.out.println("Blacklist check: " + host + " blacklisted"); + throw new MOAApplicationException("4002", new Object[]{host}); + } + } + else { + // check host and port + int iport = new Integer(bport).intValue(); + if (bhost.equalsIgnoreCase(host) && (iport == port)) { + System.out.println("Blacklist check: " + host + ":" + port + " blacklisted"); + throw new MOAApplicationException("4002", new Object[]{host + ":" + port}); + } + + } + } + } + else { + if (port == -1) { + System.out.println("No external URI allowed (" + host + ")"); + throw new MOAApplicationException("4001", new Object[]{host}); + } + else { + System.out.println("No external URI allowed (" + host + ":" + port + ")"); + throw new MOAApplicationException("4001", new Object[]{host + ":" + port}); + } + } + + } catch (ConfigurationException e) { + throw new MOAApplicationException("config.10", null); + } + + + + } + +} -- cgit v1.2.3